webao/webAO/client.ts, branch master WebAO fork Add passkey authentication (WebAuthn) 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T13:19:40+00:00 aa4c30bb6d1e46b5019065fba6c0eb3c08aa1f34 Bring in the subprotocol (the same as what's used on the desktop client for public-key authentication) to carry the relevant messages: - AuthRequest: first step in the flow, the client sends it to signal the intent to authenticate to the server. - AssertCredential and AssertionFinish: server's challenge and client's response, respectively, to finalize the flow. - RegisterCredential and RegistrationFinish: same structure as the above. Unlike the simple public-key auth with an out-of-band setup, passkeys require user interaction to register. User must be authorized. Validate all relevant checks on the API side, and hand the data over to the server for it to verify attestations and assertions. Because it's a primary auth mechanism (not a second factor), require user verification. As we don't use any other method on web, add a passkey button as the only sign-in interface. Passkeys are discoverable, we don't even need a username. 
Bring in the subprotocol (the same as what's used on the desktop client
for public-key authentication) to carry the relevant messages:

- AuthRequest: first step in the flow, the client sends it to signal the
  intent to authenticate to the server.

- AssertCredential and AssertionFinish: server's challenge and client's
  response, respectively, to finalize the flow.

- RegisterCredential and RegistrationFinish: same structure as the
  above. Unlike the simple public-key auth with an out-of-band setup,
  passkeys require user interaction to register. User must be
  authorized.

Validate all relevant checks on the API side, and hand the data over to
the server for it to verify attestations and assertions.

Because it's a primary auth mechanism (not a second factor), require
user verification.

As we don't use any other method on web, add a passkey button as the
only sign-in interface. Passkeys are discoverable, we don't even need a
username.
Remove defunct CAPTCHA 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T03:16:18+00:00 ae7ef2c6c76947ea12cbb1592152d9c80fd1a8f3 The hCaptcha integration has been abandoned for a while. It added yet another questionable third-party API (which also set a Cloudflare cookie), and its effectiveness is unclear considering its client-side nature. A custom CAPTCHA implementation (such as PoW challenge) is an interesting prospect, but it'll require proper server-side support. 
The hCaptcha integration has been abandoned for a while. It added yet
another questionable third-party API (which also set a Cloudflare
cookie), and its effectiveness is unclear considering its client-side
nature.

A custom CAPTCHA implementation (such as PoW challenge) is an
interesting prospect, but it'll require proper server-side support.
Replace cookies with localStorage 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T02:55:26+00:00 4bd750ca1f3e446f68e0f88fabf0682fd4d61848 Cookies's use case is to store persistent data and send it to the server in subsequent requests, such as to remember logged-in sessions. WebAO is using them to store site settings like ad-hoc hash tables that require parsing and serialization. As a nasty side-effect of how cookies work, clients send all their settings every time they connect to the server. Server has absolutely no use for them, but each client sends them anyway, which is an uncalled-for privacy leak. Remove this mechanism entirely, switch to localStorage which serves exactly the purpose of per-origin store with data that never leaves the browser. 
Cookies's use case is to store persistent data and send it to the server
in subsequent requests, such as to remember logged-in sessions. WebAO is
using them to store site settings like ad-hoc hash tables that require
parsing and serialization.

As a nasty side-effect of how cookies work, clients send all their
settings every time they connect to the server. Server has absolutely no
use for them, but each client sends them anyway, which is an
uncalled-for privacy leak.

Remove this mechanism entirely, switch to localStorage which serves
exactly the purpose of per-origin store with data that never leaves the
browser.
Guess WSS, not WS, if the schema isn't set 2026-04-18T16:52:22+00:00 Osmium Sorcerer os@sof.beauty 2026-03-31T14:23:41+00:00 14b8190d1e0efdfd7b2650923f7b014614dcf937 






Change image extension priority
2026-04-18T16:52:22+00:00

Osmium Sorcerer
os@sof.beauty

2026-03-16T16:19:15+00:00

29571c0da3b3a588b57125e5dc56eaa78639c1b7

Sometimes, WebP icons won't load despite extensions.json clearly
defining it as the only extension used for all image data.

I suspect there's a race condition between fetching extensions.json,
parsing it into client, and checking what extension we should use to get
character icons during loading. Sometimes it correctly loads images,
sometimes it falls back and starts requesting PNG instead.

I couldn't precisely identify where it happens and what's the root
cause. As a workaround, this commit instead makes WebP the
first-priority extension and a fallback.





Sometimes, WebP icons won't load despite extensions.json clearly
defining it as the only extension used for all image data.

I suspect there's a race condition between fetching extensions.json,
parsing it into client, and checking what extension we should use to get
character icons during loading. Sometimes it correctly loads images,
sometimes it falls back and starts requesting PNG instead.

I couldn't precisely identify where it happens and what's the root
cause. As a workaround, this commit instead makes WebP the
first-priority extension and a fallback.







Remove CH-sending timer
2026-04-18T16:52:22+00:00

Osmium Sorcerer
os@sof.beauty

2026-03-16T14:12:22+00:00

2ef41402209b82279656ae4b1affe6484be1ed77

CH is an application-level keepalive packet that clients periodically
send for two reasons:

1. It tells the server they're still connected, preventing timeouts.

2. By measuring latency between sending CH and receiving CHECK, a client
   can display ping.

Keepalive is redundant because WebSocket can handle that via PING frames on a
transport layer. WebAO also completely ignores CHECK and sends CH every
five seconds, which is superfluous (AO2 Client sends it once every 45
seconds, in comparison).

Sending CH via `setInterval` was also problematic: browsers seem to
throttle it when the tab becomes inactive, preventing periodic pings and
leading to the server disconnecting inactive browser clients.





CH is an application-level keepalive packet that clients periodically
send for two reasons:

1. It tells the server they're still connected, preventing timeouts.

2. By measuring latency between sending CH and receiving CHECK, a client
   can display ping.

Keepalive is redundant because WebSocket can handle that via PING frames on a
transport layer. WebAO also completely ignores CHECK and sends CH every
five seconds, which is superfluous (AO2 Client sends it once every 45
seconds, in comparison).

Sending CH via `setInterval` was also problematic: browsers seem to
throttle it when the tab becomes inactive, preventing periodic pings and
leading to the server disconnecting inactive browser clients.







Merge pull request #298 from AttorneyOnline/reconnect
2026-04-06T14:22:55+00:00

stonedDiscord
Tukz@gmx.de

2026-04-06T14:22:55+00:00

815f56add06b92a48b964cb1343f70c86ea36435

Add reconnect UI




Add reconnect UI






Enable auto pick area and char
2026-04-01T11:48:47+00:00

David Skoland
davidskoland@gmail.com

2026-04-01T11:48:47+00:00

db931bb13b99f7a058b178bc2460958b6356ca46












remove UI related changes
2026-03-28T13:09:06+00:00

David Skoland
davidskoland@gmail.com

2026-03-28T13:09:06+00:00

6f407b54c3251b90463bc508852b031d72b0c673












Add Connected and Disconnected notices
2026-03-24T11:35:41+00:00

David Skoland
davidskoland@gmail.com

2026-03-24T11:35:41+00:00

28a140dc8ab8adf32c783c6887e29c245981ab51